[185843] in North American Network Operators' Group


Re: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Sat Nov 14 12:28:11 2015

X-Original-To: nanog@nanog.org
Date: Sat, 14 Nov 2015 18:26:40 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>
In-Reply-To: <5646D656.2020905@vaxination.ca>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sat, Nov 14, 2015 at 01:36:06AM -0500,
 Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote 
 a message of 71 lines which said:

> Loto Québec is supposed to be testing for compliance, and I am not
> sure how they will do that short of having a subscription to every
> ISP that sells services in Québec.

They will simply use RIPE Atlas probes, as we all do to test our
networks from the outside.

Here, Bulgaria, where the mandatory blocking of gambling Web sites is
far from perfect (the right IP address is 5.226.176.16):

% python resolve-name.py --requested=500 --country=BG www.bet365.com 
Measurement #2930308 for www.bet365.com/A uses 94 probes

[] : 1 occurrences 
[193.24.240.122] : 1 occurrences 
[84.54.148.18] : 1 occurrences 
[212.73.128.166] : 1 occurrences 
[212.39.93.34] : 3 occurrences 
[ERROR: SERVFAIL] : 1 occurrences 
[5.226.176.16] : 75 occurrences 
[127.0.0.1] : 4 occurrences 
Test done at 2015-11-14T17:14:20Z

A few lying DNS resolvers, but not many.

> (Maybe they think they only have to test 3 ISPs, (telcos and
> cablecos) and don't realise they have over 100 ISPs to test for
> compliance).

My experience with this sort of organisation is that they don't care
about 100 % compliance. They're only interested in "good enough" (the
three largest ISPs...)
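
The per-answer tally in the message above can be bucketed mechanically to see how many probes got something other than the stated address. This is an added example, not part of the original message and not the resolve-name.py script; the function names, the bucket labels and the space-separated multi-address format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Tally lines copied from the measurement output in the message above.
SAMPLE = """\
[] : 1 occurrences
[193.24.240.122] : 1 occurrences
[84.54.148.18] : 1 occurrences
[212.73.128.166] : 1 occurrences
[212.39.93.34] : 3 occurrences
[ERROR: SERVFAIL] : 1 occurrences
[5.226.176.16] : 75 occurrences
[127.0.0.1] : 4 occurrences
"""

TALLY = re.compile(r"^\[(.*)\]\s*:\s*(\d+)\s+occurrences$")

def classify(answer, expected):
    """Bucket one answer set: expected, empty, error, local or other."""
    if answer.startswith("ERROR"):
        return "error"
    # Assumption: several addresses in one answer are space-separated.
    addrs = {ipaddress.ip_address(a) for a in answer.split()}
    if not addrs:
        return "empty"
    if addrs <= expected:
        return "expected"
    # Loopback, RFC 1918 or 0.0.0.0 can never be the real public site.
    if any(a.is_loopback or a.is_private or a.is_unspecified for a in addrs):
        return "local"
    # Public but unexpected: a block page, or a legitimate CDN variation.
    return "other"

def summarize(text, expected_ips):
    """Sum probe counts per bucket over every tally line in text."""
    expected = {ipaddress.ip_address(a) for a in expected_ips}
    buckets = Counter()
    for line in text.splitlines():
        m = TALLY.match(line.strip())
        if m:
            buckets[classify(m.group(1).strip(), expected)] += int(m.group(2))
    return buckets

def rewritten_share(buckets):
    """Fraction of probe results whose address differs from the expected one."""
    total = sum(buckets.values())
    return (buckets["local"] + buckets["other"]) / total if total else 0.0

if __name__ == "__main__":
    b = summarize(SAMPLE, ["5.226.176.16"])
    print(dict(b), f"{rewritten_share(b):.1%}")
```

The "other" bucket needs a manual look before it is counted as blocking, since a site served from several addresses would also land there.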

